rule malrtf_ole2link : exploit {
	meta:
		author = "@h3x2b <tracker _AT h3x.eu>"
		description = "Detect weaponized RTF documents with OLE2Link exploit"
	strings:
		// OLE2Link object markers. The hex tokens are matched as ASCII text,
		// since RTF carries object data as a hex dump inside \objdata; nocase
		// covers both upper- and lower-case hex digits.
		$rtf_olelink_01 = "\\objdata" nocase            // control word that introduces the object hex dump
		$rtf_olelink_02 = "4F4C45324C696E6B" nocase     // hex of the ASCII string "OLE2Link"
		$rtf_olelink_03 = "D0CF11E0A1B11AE1" nocase     // hex of the Compound File (OLE2 docfile) magic
		// URL scheme prefixes as stored inside the object: UTF-16LE, then hex-dumped.
		$rtf_payload_01 = "68007400740070003A002F002F00" nocase      // "http://"
		$rtf_payload_02 = "680074007400700073003A002F002F00" nocase  // "https://"
		$rtf_payload_03 = "6600740070003A002F002F00" nocase          // "ftp://"
	condition:
		// The file must start with "{\rt" (0x7B5C7274; the RTF header is
		// accepted even when truncated), carry every OLE2Link marker, and
		// contain at least one hex-encoded URL scheme.
		uint32be(0) == 0x7B5C7274
		and $rtf_olelink_01 and $rtf_olelink_02 and $rtf_olelink_03
		and 1 of ($rtf_payload_*)
}

rule exploit_ole_stdolelink {
  meta:
    author = "David Cannings"
    description = "StdOleLink, potential 0day in April 2017"
    score = 55
  strings:
    // Container headers. Only "{\rt" is required for RTF because parsers
    // open files without the full 'rtf' keyword.
    $header_rtf    = "{\\rt" nocase
    $header_office = { D0 CF 11 E0 }            // Compound File (OLE2) magic
    // NOTE(review): a UTF-16 XML document with a BOM places this at offset 2,
    // not 0, so the offset-0 check below would not accept it -- confirm intended.
    $header_xml    = "<?xml version=" nocase wide ascii

    // Evidence of embedded data; required to keep false positives down.
    // RTF control words
    $embedded_object   = "\\object" nocase
    $embedded_objdata  = "\\objdata" nocase
    $embedded_ocx      = "\\objocx" nocase
    $embedded_objclass = "\\objclass" nocase
    $embedded_oleclass = "\\oleclsid" nocase

    // Office XML
    $embedded_axocx     = "<ax:ocx" nocase wide ascii
    $embedded_axclassid = "ax:classid" nocase wide ascii

    // OLE compound file stream / storage names (UTF-16LE in the directory)
    // NOTE(review): CFB stream names are normally written without a space
    // (CompObj, ObjInfo) -- confirm the two spaced patterns match real samples.
    $embedded_root_entry = "Root Entry" wide
    $embedded_comp_obj   = "Comp Obj" wide
    $embedded_obj_info   = "Obj Info" wide
    $embedded_ole10      = "Ole10Native" wide

    // StdOleLink / OLE2Link indicators: the CLSID, the class names as plain
    // text, and the same class names as hex-dumped ASCII (RTF \objdata form).
    $data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
    $data2 = "OLE2Link" nocase wide ascii
    $data3 = "4f4c45324c696e6b" nocase wide ascii    // hex of "OLE2Link"
    $data4 = "StdOleLink" nocase wide ascii
    $data5 = "5374644f6c654c696e6b" nocase wide ascii  // hex of "StdOleLink"

  condition:
    // A recognised container header at offset 0, some sign of an embedded
    // object, and at least one StdOleLink/OLE2Link indicator.
    // `extension` is an external variable, not defined by this rule: it must
    // be supplied when the rule is compiled (e.g. yara -d extension=...),
    // otherwise the rule fails to load with an undefined identifier.
    (
      $header_rtf at 0
      or $header_office at 0
      or $header_xml at 0
    )
    and any of ($embedded*)
    and any of ($data*)
    and extension != ".msi"
}
